An Anatomy of A Nice Phish
I fear we will never robustly stop phishing, as much because we seem to insist on training users to be phished. Even generic phishing has a tendency to work, and I just received a particularly nice one that is worth examining in detail.
First the bait:
Yes, this is a very generic and unremarkable phish. But then, how many legitimate emails of exactly this sort does one see on a regular basis?
There is also some amusement in how the phish is actually implemented. The link is bit.ly (naturally), which redirects to a .php script on a (presumably hacked) real estate web site. But what that script returns is interesting:
<html><head><META HTTP-EQUIV="Refresh" CONTENT="1;URL=https://dl.dropboxusercontent.com/s/pziendhh708cx0z/akomesh-000001-0000.html?dl=0"></head><p><p>
Yes, it loads the actual phishing page from Dropbox! And instead of just rendering that page, this Dropbox-hosted stub hides itself by doing yet another meta refresh, this time to a data: URL, so that the phishing page's content actually lives in the URL bar rather than on any server:
<meta http-equiv="Refresh" content="0; url= data:text/html;charset=utf-8;base64,PFNjcmlwdCBMYW5ndWFnZT0nSmF2YXNjcmlwdCc+DQo8IS0tIEhUTUwgRW5jcnlwdGlvbiBwcm92
The phishing page itself then has a second stage that asks for a phone number, before finally redirecting the victim to the real Dropbox.
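The meta-refresh chain above, followed offline, as an added example (this is not code from the original post). It assumes a placeholder hostname for the compromised real estate site; the Dropbox URL and the base64 prefix are the ones quoted above, and since the post only shows that prefix the decoded payload is truncated accordingly (it decodes to the opening `<Script Language='Javascript'>` tag and an "HTML Encryption" comment). The bit.ly hop is an HTTP redirect rather than a meta refresh and is not modelled.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import unquote_to_bytes


class _MetaRefreshParser(HTMLParser):
    """Collects the target URL of every <meta http-equiv="refresh"> in a document."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":          # HTMLParser lower-cases tag and attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("http-equiv", "").strip().lower() != "refresh":
            return
        # content is "<delay>;URL=<target>"; the phish uses "1;URL=..." and "0; url= data:..."
        m = re.match(r"\s*\d*\s*;\s*url\s*=\s*(.*)$", a.get("content", ""), re.I | re.S)
        if m:
            self.targets.append(m.group(1).strip().strip("'\""))


def meta_refresh_target(html):
    """Return the first meta-refresh target in `html`, or None if there is none."""
    p = _MetaRefreshParser()
    p.feed(html)
    p.close()
    return p.targets[0] if p.targets else None


def decode_data_url(url):
    """Split a data: URL (RFC 2397) into (media type, decoded body bytes)."""
    if url[:5].lower() != "data:":
        raise ValueError("not a data: URL")
    header, sep, payload = url[5:].partition(",")
    if not sep:
        raise ValueError("malformed data: URL (no comma)")
    params = [p.strip() for p in header.split(";")]
    mediatype = params[0] or "text/plain"
    if any(p.lower() == "base64" for p in params[1:]):
        # Tolerate stripped '=' padding: pad to a multiple of four before decoding
        payload = re.sub(r"\s+", "", payload)
        body = base64.b64decode(payload + "=" * (-len(payload) % 4))
    else:
        body = unquote_to_bytes(payload)
    return mediatype, body


def follow_chain(start_url, pages, max_hops=10):
    """Walk meta-refresh hops through an offline {url: html} map.

    Stops at a data: URL (the payload is now in the URL itself), at a URL we have
    no page for, at a page with no refresh, or after max_hops to survive a loop.
    """
    chain = [start_url]
    url = start_url
    for _ in range(max_hops):
        if url[:5].lower() == "data:":
            break
        html = pages.get(url)
        if html is None:
            break
        nxt = meta_refresh_target(html)
        if nxt is None:
            break
        chain.append(nxt)
        url = nxt
    return chain


# Constructed offline sample. The hacked-site URL is a hypothetical placeholder; the
# Dropbox URL and the base64 prefix are the ones quoted in the post (the prefix is all
# the post shows, so the decoded payload is truncated accordingly).
STAGE1_URL = "https://compromised-realestate.example/redirect.php"   # hypothetical
STAGE2_URL = "https://dl.dropboxusercontent.com/s/pziendhh708cx0z/akomesh-000001-0000.html?dl=0"
B64_PREFIX = "PFNjcmlwdCBMYW5ndWFnZT0nSmF2YXNjcmlwdCc+DQo8IS0tIEhUTUwgRW5jcnlwdGlvbiBwcm92"
PAGES = {
    STAGE1_URL: '<html><head><META HTTP-EQUIV="Refresh" CONTENT="1;URL=%s"></head><p><p>' % STAGE2_URL,
    STAGE2_URL: '<meta http-equiv="Refresh" content="0; url= data:text/html;charset=utf-8;base64,%s">' % B64_PREFIX,
}

if __name__ == "__main__":
    chain = follow_chain(STAGE1_URL, PAGES)
    for hop in chain:
        print("->", hop[:80])
    mediatype, body = decode_data_url(chain[-1])
    print(mediatype, body)
```

The point of decoding rather than rendering is that nothing in the final stage ever touches a server you could block or take down; the only durable indicators are the Dropbox share link and whatever the base64 body contains, so that body is what goes into your analysis, not the URL.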
Some overall thoughts
1: We’ve trained people to be phished. The bait email looks remarkably similar to what Dropbox sends to people for legitimate purposes, and a little bit of social graph mining and you too can make fake Dropbox emails that really look like the real thing.
2: Dropbox can get an idea of how successful this phish is, at least in terms of page views, since the phishers hosted the dropbox phish on dropbox!
3: Anti-spam techniques may be working (mostly) in terms of preventing “unauthorized” sending. It looks like this was through a compromised account rather than created from whole cloth.
4: Did I mention how much we’ve trained users to be phished? Look at this legitimate email:
How is a typical user supposed to know this is legitimate? The last 4 digits of a credit card #? How long until a criminal service offers that data (if they haven’t already?) And this business about “Email security zone”? It’s not like DKIM validated…
Authentication-Results: maihub.ICSI.Berkeley.EDU (amavisd-new); dkim=softfail
(fail, message has been altered) [email protected]
Authentication-Results: maihub.ICSI.Berkeley.EDU (amavisd-new);
domainkeys=softfail (fail, message has been altered)
Yeup, that checks out…
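What a receiver should actually do with those headers, as an added example that is not part of the original post: parse the Authentication-Results headers, discard any that were not stamped by our own MTA (anyone upstream can insert a header claiming dkim=pass), and treat only an explicit dkim=pass as verified. The sample message is constructed from the two headers quoted above; the signing-identity property that follows the dkim reason in the real header is elided on the page, so it is omitted here too.

```python
import email
import re

# Constructed raw message: the two Authentication-Results headers quoted above, folded
# across lines as they arrived. The signing-identity property after the dkim reason is
# elided in the post, so it is left out here.
RAW_MESSAGE = (
    "Authentication-Results: maihub.ICSI.Berkeley.EDU (amavisd-new); dkim=softfail\n"
    " (fail, message has been altered)\n"
    "Authentication-Results: maihub.ICSI.Berkeley.EDU (amavisd-new);\n"
    " domainkeys=softfail (fail, message has been altered)\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# One clause per ';': method=result [(parenthesised comment)] [property=value ...]
_CLAUSE_RE = re.compile(
    r"(?P<method>[A-Za-z][\w.-]*)\s*=\s*(?P<result>\w+)\s*"
    r"(?:\((?P<reason>[^)]*)\))?\s*(?P<props>.*)$"
)


def parse_authentication_results(raw_message, trusted_authserv):
    """Return {method: {result, reason, props}} from Authentication-Results headers.

    Only headers whose authserv-id is our own MTA count: an attacker can add an
    Authentication-Results header before the message reaches us, so a receiver must
    ignore ones it did not stamp itself (RFC 8601 section 7.1). The topmost header,
    i.e. the most recently added, wins if a method appears more than once.
    """
    msg = email.message_from_string(raw_message)
    found = {}
    for raw in msg.get_all("Authentication-Results", []):
        value = " ".join(str(raw).split())            # unfold and squeeze whitespace
        authserv, _, rest = value.partition(";")
        words = authserv.split()
        authserv_id = words[0] if words else ""       # drop "(amavisd-new)" comment / version
        if authserv_id.lower() != trusted_authserv.lower():
            continue
        for clause in rest.split(";"):
            m = _CLAUSE_RE.match(clause.strip())
            if m:
                found.setdefault(m["method"].lower(), {
                    "result": m["result"].lower(),
                    "reason": (m["reason"] or "").strip(),
                    "props": m["props"].strip(),
                })
    return found


def dkim_verified(results):
    """Only an explicit dkim=pass counts; softfail, fail, none and a missing method do not."""
    return results.get("dkim", {}).get("result") == "pass"


if __name__ == "__main__":
    results = parse_authentication_results(RAW_MESSAGE, "maihub.ICSI.Berkeley.EDU")
    print(results)
    print("DKIM verified:", dkim_verified(results))
```

Note that "softfail" with "message has been altered" is the outcome of a signature that existed but did not verify; from a receiver's point of view it carries no more weight than no signature at all, which is exactly why the "Email security zone" banner in the body is meaningless as a trust signal.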